Allow geoblock instead of block

Customer support forums for the modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real time modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
atomicbox
Forum User
Forum User
Posts: 5
Joined: Fri Feb 20, 2015 8:59 am
Location: Portugal

Allow geoblock instead of block

Unread post by atomicbox »

If we want to allow only 1 or 2 countries in firewall we have to explicitly block all of the rest.

This creates a table with around 250.000 blocked IP networks.

Is there any chance in ASL to reverse this and only add which GEO IPs are allowed and block all the rest?
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Allow geoblock instead of block

Unread post by scott »

Kind of like "Only allow country XX" right?
atomicbox
Forum User
Forum User
Posts: 5
Joined: Fri Feb 20, 2015 8:59 am
Location: Portugal

Re: Allow geoblock instead of block

Unread post by atomicbox »

Yes,

Instead of "Block these and allow the rest"...

It would be "Allow these and block the rest"...

In pratical terms it would be the same, the difference would be in performance since you would be loading for example 5.000 IP sets instead of 250.000 depending on how many countries would be on the list.

In the future ASL could even make this decision automatically taking in consideration how many IP sets would be on one option or the other.
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Allow geoblock instead of block

Unread post by scott »

For reference that is called an "Unless Allow, Deny" policy, and something we have planned for a future sprint. A great thing about ipsets in general is that you can load gigantic lists (billions definitely, trillions possibly?) in a few milliseconds, so far we really havent hit any kind of bottleneck with handling monster lists.
Post Reply